Skip to content

Update STUN servers in Snowflake builtin bridges

Cecylia Bocovich requested to merge cohosh/tor-browser-build:update-stun into main

Merge Info

Issues

Resolves

Related

Merging

Target Branches

  • main: esr128-14.5
  • maint-14.0: esr128-14.0
  • maint-13.5: esr115-13.5

Backporting

Timeline

  • No Backport (preferred): patchset for the next major stable
  • Immediate: patchset needed as soon as possible
  • Next Minor Stable Release: patchset that needs to be verified in nightly before backport
  • Eventually: patchset that needs to be verified in alpha before backport

I'll leave the timeline up to you, I've tested the bridge lines, they are shorter than before. If it's easy to deploy with the next release that would be ideal but it's not urgent.

(Optional) Justification

  • Emergency security update: patchset fixes CVEs, 0-days, etc
  • Censorship event: patchset enables censorship circumvention
  • Critical bug-fix: patchset fixes a bug in core-functionality
  • Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
  • Sponsor required: patchset required for sponsor
  • Other: please explain

This isn't critical, but a nice-to-have. The current snowflake bridge lines have several STUN servers that are not working reliably or don't support the features we need. Most of the time, users will get at least one working STUN server. In the worst case, they will not know their NAT type and will be matched with an unrestricted proxy which will work, but puts more strain on our resources.

Issue Tracking

Review

Request Reviewer

  • Request review from an applications developer depending on modified system:
    • NOTE: if the MR modifies multiple areas, please /cc all the relevant reviewers (since gitlab only allows 1 reviewer)
    • accessibility : henry
    • android : clairehurst, dan
    • build system : boklm
    • extensions : ma1
    • firefox internals (XUL/JS/XPCOM) : jwilde, ma1
    • fonts : pierov
    • frontend (implementation) : henry
    • frontend (review) : donuts, morgan
    • localization : henry, pierov
    • macOS : clairehurst, dan
    • nightly builds : boklm
    • rebases/release-prep : boklm, dan, ma1, morgan, pierov
    • security : jwilde, ma1
    • signing : boklm, morgan
    • updater : pierov
    • windows : jwilde, morgan
    • misc/other : morgan, pierov

Change Description

Updated STUN servers in the builtin Snowflake bridge lines.

Removed:

  • stun.l.google.com:19302 (online, but doesn't support NAT discovery)
  • stun.bluesip.net:3478 (appears to be offline)
  • stun.dus.net:3478 (online, but doesn't support NAT discovery)
  • stun.sonetel.net:3478 (online, but appears to be misconfigured)
  • stun.voys.nl:3478 (online, but doesn't support NAT discovery)

Added:

  • stun.mixvoip.com:3478
  • stun.nextcloud.com:3478
  • stun.bethesda.net:3478
  • stun.nextcloud.com:443

How Tested

I manually copy-pasted the new bridge lines into Tor Browser and bootstrapped fully.

Edited by morgan

Merge request reports